NON-CYCLIC SUBGROUPS OF JACOBIANS OF
GENUS TWO CURVES

CHRISTIAN ROBENHAGEN RAVNSHØJ

Abstract. Let $E$ be an elliptic curve defined over a finite field. Balasubramanian and Koblitz have proved that if the $\ell$-th roots of unity $\mu_\ell$ are not contained in the ground field, then a field extension of the ground field contains $\mu_\ell$ if and only if the $\ell$-torsion points of $E$ are rational over the same field extension. We generalize this result to Jacobians of genus two curves. In particular, we show that the Weil- and the Tate-pairing are non-degenerate over the same field extension of the ground field.

From this generalization we get a complete description of the $\ell$-torsion subgroups of Jacobians of supersingular genus two curves. In particular, we show that for $\ell > 3$, the $\ell$-torsion points are rational over a field extension of degree at most 24.



1. Introduction 

In [10], Koblitz described how to use elliptic curves to construct a public key cryptosystem. To get a more general class of curves, and possibly larger group orders, Koblitz [11] then proposed using Jacobians of hyperelliptic curves. After Boneh and Franklin [2] proposed an identity based cryptosystem by using the Weil-pairing on an elliptic curve, pairings have been of great interest to cryptography [?]. The next natural step was to consider pairings on Jacobians of hyperelliptic curves. Galbraith et al. [7] survey the recent research on pairings on Jacobians of hyperelliptic curves.

The pairing in question is usually the Weil- or the Tate-pairing; both pairings can be computed with Miller's algorithm [14]. The Tate-pairing can be computed more efficiently than the Weil-pairing, cf. [5]. Let $C$ be a smooth curve defined over a finite field $\mathbb{F}_q$, and let $\mathcal{J}_C$ be the Jacobian of $C$. Let $\ell$ be a prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian, and let $k$ be the multiplicative order of $q$ modulo $\ell$. By [8], the Tate-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$. By [20, Proposition 8.1, p. 96], the Weil-pairing is non-degenerate on $\mathcal{J}_C[\ell]$. So if $\mathcal{J}_C[\ell]$ is not contained in $\mathcal{J}_C(\mathbb{F}_{q^k})$, then the Tate-pairing is non-degenerate over a possibly smaller field extension than the Weil-pairing. For elliptic curves, in most cases relevant to cryptography, the Weil-pairing and the Tate-pairing are non-degenerate over the same field: let $E$ be an elliptic curve defined over $\mathbb{F}_p$, and consider a prime number $\ell$ dividing the number of $\mathbb{F}_p$-rational points on $E$. Balasubramanian and Koblitz [1] proved that

(1) if $\ell \nmid p-1$, then $E[\ell] \subseteq E(\mathbb{F}_{p^k})$ if and only if $\ell \mid p^k - 1$.

By Rubin and Silverberg [19], this result also holds for Jacobians of genus two curves in the following sense: if $\ell \nmid p-1$, then the Weil-pairing is non-degenerate on $U \times V$, where $U = \mathcal{J}_C(\mathbb{F}_p)[\ell]$, $V = \ker(\varphi - p) \cap \mathcal{J}_C[\ell]$ and $\varphi$ is the $p$-power Frobenius endomorphism on $\mathcal{J}_C$.

The result (1) can also be stated as: if $\ell \nmid p-1$, then $E(\mathbb{F}_{p^k})[\ell]$ is bicyclic if and only if $\ell \mid p^k - 1$. In [17], the author generalized this result to certain CM reductions of Jacobians of genus two curves. In this paper, we show that in most cases, this result in fact holds for Jacobians of any genus two curves. More precisely, the following theorem is established.

Theorem 6. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Write the characteristic polynomial of the $q^m$-power Frobenius endomorphism of the Jacobian $\mathcal{J}_C$ as

$$P_m(X) = X^4 + 2\sigma X^3 + (2q^m + \sigma^2 - \tau)X^2 + 2\sigma q^m X + q^{2m},$$

where $2\sigma, 4\tau \in \mathbb{Z}$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_q$-rational points on $\mathcal{J}_C$, and with $\ell \nmid q$ and $\ell \nmid q - 1$. If $\ell \nmid 4\tau$, then

(1) $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module, and

(2) $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is bicyclic if and only if $\ell$ divides $q^m - 1$.

If $\ell$ is a large prime number, then most likely $\ell \nmid 4\tau$, and Theorem 6 applies. In the special case $\ell \mid 4\tau$ we get the following result.

Theorem 7. Let notation be as in Theorem 6. Furthermore, let $\omega_m$ be a $q^m$-Weil number of $\mathcal{J}_C$ (cf. Definition 4), and assume that $\ell$ is unramified in $K = \mathbb{Q}(\omega_m)$. Now assume that $\ell \mid 4\tau$. Then the following holds.

(1) If $\omega_m \in \mathbb{Z}$, then $\ell \mid q^m - 1$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^m})$.

(2) If $\omega_m \notin \mathbb{Z}$, then $\ell \nmid q^m - 1$, $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell] \cong (\mathbb{Z}/\ell\mathbb{Z})^2$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{mk}})$ if and only if $\ell \mid q^{mk} - 1$.

By Theorem 6 and 7 we get the following corollary.

Corollary 10. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$, and with $\ell \nmid q$. Let $q$ be of multiplicative order $k$ modulo $\ell$. If $\ell \nmid q - 1$, then the Weil-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \times \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$.

For the 2-torsion part, we prove the following theorem.

Theorem 11. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$ of odd characteristic. Let

$$P_m(X) = X^4 + sX^3 + tX^2 + sq^m X + q^{2m}$$

be the characteristic polynomial of the $q^m$-power Frobenius endomorphism of the Jacobian $\mathcal{J}_C$. Assume $|\mathcal{J}_C(\mathbb{F}_{q^m})|$ is even. Then

$$\mathcal{J}_C[2] \subseteq \begin{cases} \mathcal{J}_C(\mathbb{F}_{q^{4m}}), & \text{if } s \text{ is even;} \\ \mathcal{J}_C(\mathbb{F}_{q^{8m}}), & \text{if } s \text{ is odd.} \end{cases}$$

Now consider a supersingular genus two curve $C$ defined over $\mathbb{F}_q$; cf. section 6. Again, let $\ell$ be a prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian and let $k$ be the multiplicative order of $q$ modulo $\ell$. We know that $k \le 12$, cf. Galbraith [5] and Rubin and Silverberg [18]. If $\ell^2 \nmid |\mathcal{J}_C(\mathbb{F}_q)|$, then in many cases $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$, cf. Stichtenoth [21]. Zhu [23] gives a complete description of the subgroup of $\mathbb{F}_q$-rational points on the Jacobian. Using Theorem 6 we get the following explicit description of the $\ell$-torsion subgroup of the Jacobian of a supersingular genus two curve.

Theorem 14. Consider a supersingular genus two curve $C$ defined over $\mathbb{F}_q$. Let $\ell$ be a prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$, and with $\ell \nmid q$. Depending on the cases in table 1 we get the following properties of $\mathcal{J}_C$.

Case I: $-q^2 \equiv q^4 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^4})$. If $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case II: $q^3 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^6})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic. If $\ell \ne 3$, then $q \not\equiv 1 \pmod{\ell}$.

Case III: $-q^3 \equiv q^6 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^6})$. If $\ell \ne 3$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case IV: $q \not\equiv q^5 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{10}})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case V: $q \not\equiv q^5 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{10}})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case VI: $-q^6 \equiv q^{12} \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{24}})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case VII: $q \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^2})$. If $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic.

Case VIII: $-q \equiv q^2 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^2})$. If $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic.

Case IX: If $\ell \ne 3$, then $q \not\equiv q^3 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^3})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic.

In particular, it follows from Theorem 14 that if $\ell > 3$, then the $\ell$-torsion points on the Jacobian $\mathcal{J}_C$ of a supersingular genus two curve defined over $\mathbb{F}_q$ are rational over a field extension of $\mathbb{F}_q$ of degree at most 24, and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module.

Assumption. In this paper, a curve is an irreducible nonsingular projective variety 
of dimension one. 



2. Genus two curves 

A hyperelliptic curve is a projective curve $C \subseteq \mathbb{P}^n$ of genus at least two with a separable, degree two morphism $\phi : C \to \mathbb{P}^1$. It is well known that any genus two curve is hyperelliptic. Throughout this paper, let $C$ be a curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$. By the Riemann-Roch Theorem there exists a birational map $\psi : C \to \mathbb{P}^2$, mapping $C$ to a curve given by an equation of the form

where $g, h \in \mathbb{F}_q[x]$ are of degree $\deg(g) \le 3$ and $\deg(h) \le 6$; cf. [3, chapter 1].

The set of principal divisors $\mathcal{P}(C)$ on $C$ constitutes a subgroup of the degree zero divisors $\mathrm{Div}_0(C)$. The Jacobian $\mathcal{J}_C$ of $C$ is defined as the quotient

$$\mathcal{J}_C = \mathrm{Div}_0(C)/\mathcal{P}(C).$$

Let $\ell \ne p$ be a prime number. The $\ell^n$-torsion subgroup $\mathcal{J}_C[\ell^n] \subseteq \mathcal{J}_C$ of points of order dividing $\ell^n$ is a $\mathbb{Z}/\ell^n\mathbb{Z}$-module of rank four, i.e.

$$\mathcal{J}_C[\ell^n] \cong \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z};$$

cf. [12, Theorem 6, p. 109].

The multiplicative order $k$ of $q$ modulo $\ell$ plays an important role in cryptography, since the (reduced) Tate-pairing is non-degenerate over $\mathbb{F}_{q^k}$; cf. [8].

Definition 1 (Embedding degree). Consider a prime number $\ell \ne p$ dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$. The embedding degree of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$ is the least number $k$, such that $q^k \equiv 1 \pmod{\ell}$.

Closely related to the embedding degree, we have the full embedding degree.

Definition 2 (Full embedding degree). Consider a prime number $\ell \ne p$ dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$. The full embedding degree of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$ is the least number $\kappa$, such that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^\kappa})$.

Remark 3. If $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^\kappa})$, then $\ell \mid q^\kappa - 1$; cf. [4, Corollary 5.77, p. 111]. Hence, the full embedding degree is a multiple of the embedding degree.

A priori, the Weil-pairing is only non-degenerate over $\mathbb{F}_{q^\kappa}$. But in fact, as we shall see, the Weil-pairing is also non-degenerate over $\mathbb{F}_{q^k}$.

3. The Weil- and the Tate-pairing 

Let $\mathbb{F}$ be an algebraic extension of $\mathbb{F}_q$. Let $x \in \mathcal{J}_C(\mathbb{F})[\ell]$ and $y = \sum_i a_i P_i \in \mathcal{J}_C(\mathbb{F})$ be divisors with disjoint supports, and let $\bar{y} \in \mathcal{J}_C(\mathbb{F})/\ell\mathcal{J}_C(\mathbb{F})$ denote the divisor class containing the divisor $y$. Furthermore, let $f_x \in \mathbb{F}(C)$ be a rational function on $C$ with divisor $\operatorname{div}(f_x) = \ell x$. Set $f_x(y) = \prod_i f_x(P_i)^{a_i}$. Then $e_\ell(x, \bar{y}) = f_x(y)$ is a well-defined pairing

$$e_\ell : \mathcal{J}_C(\mathbb{F})[\ell] \times \mathcal{J}_C(\mathbb{F})/\ell\mathcal{J}_C(\mathbb{F}) \to \mathbb{F}^\times/(\mathbb{F}^\times)^\ell;$$

it is called the Tate-pairing; cf. [6]. Raising the result to the power gives a well-defined element in the subgroup $\mu_\ell \subseteq \mathbb{F}^\times$ of the $\ell$-th roots of unity. This pairing

$$\hat{e}_\ell : \mathcal{J}_C(\mathbb{F})[\ell] \times \mathcal{J}_C(\mathbb{F})/\ell\mathcal{J}_C(\mathbb{F}) \to \mu_\ell$$

is called the reduced Tate-pairing. If the field $\mathbb{F}$ is finite and contains the $\ell$-th roots of unity, then the Tate-pairing is bilinear and non-degenerate; cf. [8].

Now let $x, y \in \mathcal{J}_C[\ell]$ be divisors with disjoint support. The Weil-pairing

$$e_W : \mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell] \to \mu_\ell$$

is then defined by $e_W(x, y) = $ . The Weil-pairing is bilinear, anti-symmetric and non-degenerate on $\mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell]$; cf. [15].

4. Matrix representation of the endomorphism ring 

An endomorphism $\psi : \mathcal{J}_C \to \mathcal{J}_C$ induces a linear map $\bar\psi : \mathcal{J}_C[\ell] \to \mathcal{J}_C[\ell]$ by restriction. Hence, $\psi$ is represented by a matrix $M \in \mathrm{Mat}_4(\mathbb{Z}/\ell\mathbb{Z})$ on $\mathcal{J}_C[\ell]$. Let $f \in \mathbb{Z}[X]$ be the characteristic polynomial of $\psi$ (see [12, pp. 109-110]), and let $\bar f \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of $\bar\psi$. Then $f$ is a monic polynomial of degree four, and by [12, Theorem 3, p. 186],

$$\bar f(X) \equiv f(X) \pmod{\ell}.$$

Since $C$ is defined over $\mathbb{F}_q$, the mapping $(x, y) \mapsto (x^q, y^q)$ is a morphism on $C$. This morphism induces the $q$-power Frobenius endomorphism $\varphi$ on the Jacobian $\mathcal{J}_C$. Let $P(X)$ be the characteristic polynomial of $\varphi$. $P(X)$ is called the Weil polynomial of $\mathcal{J}_C$, and

$$|\mathcal{J}_C(\mathbb{F}_q)| = P(1)$$

by the definition of $P(X)$ (see [12, pp. 109-110]); i.e. the number of $\mathbb{F}_q$-rational points on the Jacobian is $P(1)$.

Definition 4 (Weil number). Let notation be as above. Let $P_m(X)$ be the characteristic polynomial of the $q^m$-power Frobenius endomorphism $\varphi_m$ on $\mathcal{J}_C$. Consider a number $\omega_m \in \mathbb{C}$ with $P_m(\omega_m) = 0$. If $P_m(X)$ is reducible, assume furthermore that $\omega_m$ and $\varphi_m$ are roots of the same irreducible factor of $P_m(X)$. We identify $\varphi_m$ with $\omega_m$, and we call $\omega_m$ a $q^m$-Weil number of $\mathcal{J}_C$.

Remark 5. A $q^m$-Weil number is not necessarily uniquely determined. In general, $P_m(X)$ is irreducible, in which case $\mathcal{J}_C$ has four $q^m$-Weil numbers.

Assume $P_m(X)$ is reducible. Write $P_m(X) = f(X)g(X)$, where $f, g \in \mathbb{Z}[X]$ are of degree at least one. Since $P_m(\varphi_m) = 0$, either $f(\varphi_m) = 0$ or $g(\varphi_m) = 0$; if not, then either $f(\varphi_m)$ or $g(\varphi_m)$ has infinite kernel, i.e. is not an endomorphism of $\mathcal{J}_C$. So a $q^m$-Weil number is well-defined.

5. Non-cyclic torsion 

Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Let $P_m(X)$ be the characteristic polynomial of the $q^m$-power Frobenius endomorphism $\varphi_m$ of the Jacobian $\mathcal{J}_C$. $P_m(X)$ is of the form $P_m(X) = X^4 + sX^3 + tX^2 + sq^m X + q^{2m}$, where $s, t \in \mathbb{Z}$. Let $\sigma = \frac{s}{2}$ and $\tau = 2q^m + \sigma^2 - t$. Then

$$P_m(X) = X^4 + 2\sigma X^3 + (2q^m + \sigma^2 - \tau)X^2 + 2\sigma q^m X + q^{2m},$$

and $2\sigma, 4\tau \in \mathbb{Z}$.

Theorem 6. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Write the characteristic polynomial of the $q^m$-power Frobenius endomorphism of the Jacobian $\mathcal{J}_C$ as

$$P_m(X) = X^4 + 2\sigma X^3 + (2q^m + \sigma^2 - \tau)X^2 + 2\sigma q^m X + q^{2m},$$

where $2\sigma, 4\tau \in \mathbb{Z}$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_q$-rational points on $\mathcal{J}_C$, and with $\ell \nmid q$ and $\ell \nmid q - 1$. If $\ell \nmid 4\tau$, then

(1) $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module, and

(2) $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is bicyclic if and only if $\ell$ divides $q^m - 1$.

Proof. Let $\bar P_m \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ be the characteristic polynomial of the restriction of $\varphi_m$ to $\mathcal{J}_C[\ell]$. Since $\ell$ divides $|\mathcal{J}_C(\mathbb{F}_q)|$, $1$ is a root of $\bar P_m$. Assume that $1$ is a root of $\bar P_m$ of multiplicity $\nu$. Since the roots of $\bar P_m$ occur in pairs $(\alpha, q^m/\alpha)$, also $q^m$ is a root of $\bar P_m$ of multiplicity $\nu$.

If $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is of rank three as a $\mathbb{Z}/\ell\mathbb{Z}$-module, then $\ell$ divides $q^m - 1$ by [4, Proposition 5.78, p. 111]. Choose a basis $\mathcal{B}$ of $\mathcal{J}_C[\ell]$. With respect to $\mathcal{B}$, $\varphi_m$ is represented by a matrix of the form

$$M = \begin{pmatrix} 1 & 0 & 0 & m_1 \\ 0 & 1 & 0 & m_2 \\ 0 & 0 & 1 & m_3 \\ 0 & 0 & 0 & m_4 \end{pmatrix}.$$

Now, $m_4 = \det M = \deg \varphi_m = q^{2m} \equiv 1 \pmod{\ell}$. Hence, $\bar P_m(X) = (X - 1)^4$. By comparison of coefficients it follows that $4\tau \equiv 0 \pmod{\ell}$, and we have a contradiction. So $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module.

Now assume that $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is bicyclic. If $q^m \not\equiv 1 \pmod{\ell}$, then $1$ is a root of $\bar P_m$ of multiplicity two, i.e. $\bar P_m(X) = (X - 1)^2(X - q^m)^2$. But then it follows by comparison of coefficients that $4\tau \equiv 0 \pmod{\ell}$, and we have a contradiction. So $q^m \equiv 1 \pmod{\ell}$, i.e. $\ell$ divides $q^m - 1$. On the other hand, if $\ell$ divides $q^m - 1$, then the Tate-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$, i.e. $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ must be of rank at least two as a $\mathbb{Z}/\ell\mathbb{Z}$-module. So $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$ is bicyclic. □

If $\ell$ is a large prime number, then most likely $\ell \nmid 4\tau$, and Theorem 6 applies. In the special case $\ell \mid 4\tau$ we get the following result.

Theorem 7. Let notation be as in Theorem 6. Furthermore, let $\omega_m$ be a $q^m$-Weil number of $\mathcal{J}_C$, and assume that $\ell$ is unramified in $K = \mathbb{Q}(\omega_m)$. Now assume that $\ell \mid 4\tau$. Then the following holds.

(1) If $\omega_m \in \mathbb{Z}$, then $\ell \mid q^m - 1$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^m})$.

(2) If $\omega_m \notin \mathbb{Z}$, then $\ell \nmid q^m - 1$, $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell] \cong (\mathbb{Z}/\ell\mathbb{Z})^2$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{mk}})$ if and only if $\ell \mid q^{mk} - 1$.

Remark 8. A prime number $\ell$ is unramified in $K$ if and only if $\ell$ does not divide the discriminant of the field extension $K/\mathbb{Q}$; see e.g. [16, Theorem 2.6, p. 199]. Hence, almost any prime number $\ell$ is unramified in $K$. In particular, if $\ell$ is large, then $\ell$ is unramified in $K$.

The special case of Theorem 7 does occur; cf. the following example.

Example 9. Consider the polynomial $P(X) = (X^2 + X + 3)^2 \in \mathbb{Q}[X]$. By [13] and [9] it follows that $P(X)$ is the Weil polynomial of the Jacobian of a genus two curve $C$ defined over $\mathbb{F}_3$. The number of $\mathbb{F}_3$-rational points on the Jacobian is $P(1) = 25$, so $\ell = 5$ is an odd prime divisor of $|\mathcal{J}_C(\mathbb{F}_3)|$ not dividing $q = p = 3$. Notice that $P(X) \equiv X^4 + 2\sigma X^3 + (2p + \sigma^2)X^2 + 2\sigma pX + p^2 \pmod{\ell}$ with $\sigma = 1$. The complex roots of $P(X)$ are given by $\omega = \frac{-1 + \sqrt{-11}}{2}$ and $\bar\omega$, and $\ell$ is unramified in $K = \mathbb{Q}(\omega)$. Since $3$ is a generator of $(\mathbb{Z}/5\mathbb{Z})^\times$, it follows by Theorem 7 that $\mathcal{J}_C(\mathbb{F}_3)[\ell] \cong (\mathbb{Z}/\ell\mathbb{Z})^2$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{81})$.
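As an added worked example (my own code, not the paper's), the following Python carries out the bookkeeping behind Theorem 6, Theorem 7 and Example 9 starting from the coefficients $(s, t)$ of the Weil polynomial: it derives $P_m(X)$ for the $q^m$-power Frobenius from $P(X)$ by Newton's identities (a technique of mine, not used in the paper), computes the quantity $4\tau$ of section 5 and the multiplicative order $k$, and reports the structure of $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$. The function names are my own; the Theorem 7 branch assumes, rather than checks, that $\ell$ is unramified in $\mathbb{Q}(\omega_m)$.

```python
# Added example (not from the paper): Theorem 6 and Theorem 7 applied to a
# Jacobian known only through its Weil polynomial X^4 + sX^3 + tX^2 + sqX + q^2.
# Polynomials are lists of integer coefficients, lowest degree first.
from math import isqrt

def weil_poly(s, t, q):
    """Coefficients of P(X) = X^4 + sX^3 + tX^2 + sqX + q^2 (section 4)."""
    return [q * q, s * q, t, s, 1]

def poly_eval(coeffs, x):
    return sum(c * x ** i for i, c in enumerate(coeffs))

def frobenius_power_poly(coeffs, k):
    """Characteristic polynomial P_k(X) of phi^k from that of phi, by Newton's
    identities: power sums of the roots -> power sums of their k-th powers ->
    elementary symmetric functions of the k-th powers (exact integers)."""
    c0, c1, c2, c3, _ = coeffs
    e = [0, -c3, c2, -c1, c0]               # e_1..e_4 of the roots of P
    p = [4]                                  # p_0 = 4, then p_1, p_2, ...
    for n in range(1, 4 * k + 1):
        acc = sum((-1) ** (i - 1) * e[i] * p[n - i]
                  for i in range(1, min(n - 1, 4) + 1))
        if n <= 4:
            acc += (-1) ** (n - 1) * n * e[n]
        p.append(acc)
    ps = [p[j * k] for j in range(1, 5)]     # power sums of the k-th powers
    E = [1, 0, 0, 0, 0]                      # E_0 = 1, then E_1..E_4
    for n in range(1, 5):
        acc = sum((-1) ** (i - 1) * E[n - i] * ps[i - 1] for i in range(1, n + 1))
        assert acc % n == 0
        E[n] = acc // n
    return [E[4], -E[3], E[2], -E[1], 1]

def mult_order(a, ell):
    """Multiplicative order of a modulo the prime ell (requires ell not | a)."""
    k, x = 1, a % ell
    while x != 1:
        x, k = (x * a) % ell, k + 1
    return k

def four_tau(s, t, Q):
    """4*tau for X^4 + sX^3 + tX^2 + sQX + Q^2, Q = q^m, with sigma = s/2 and
    tau = 2Q + sigma^2 - t as in section 5 (always an integer)."""
    return 8 * Q + s * s - 4 * t

def torsion_structure(s, t, q, ell, m=1):
    """Theorem 6 for J_C(F_{q^m})[ell], where (s, t) describe P(X) over F_q.
    Returns 'cyclic' / 'bicyclic', or why Theorem 6 does not apply."""
    if ell == 2 or q % ell == 0 or (q - 1) % ell == 0:
        return "not applicable: need ell odd, ell not | q and ell not | q-1"
    P = weil_poly(s, t, q)
    if poly_eval(P, 1) % ell:
        return "not applicable: ell must divide |J_C(F_q)| = P(1)"
    Pm, Q = frobenius_power_poly(P, m), q ** m
    if four_tau(Pm[3], Pm[2], Q) % ell == 0:
        return "ell | 4tau: Theorem 6 is silent, see Theorem 7"
    # Theorem 6: rank at most two, and exactly two iff ell | q^m - 1.
    return "bicyclic" if (Q - 1) % ell == 0 else "cyclic"

def theorem7(s, t, q, ell, m=1):
    """The case ell | 4tau (Theorem 7).  Returns (omega_m integral?, e) with
    J_C[ell] contained in J_C(F_{q^e}); 'integral' means P_m has the integer
    root +-q^{m/2}.  That ell is unramified in Q(omega_m) is assumed, not checked."""
    Pm, Q = frobenius_power_poly(weil_poly(s, t, q), m), q ** m
    assert four_tau(Pm[3], Pm[2], Q) % ell == 0, "Theorem 7 needs ell | 4tau"
    r = isqrt(Q)
    if r * r == Q and 0 in (poly_eval(Pm, r), poly_eval(Pm, -r)):
        return True, m                       # part (1): rational over F_{q^m}
    return False, m * mult_order(Q, ell)     # part (2): rational over F_{q^{mk}}

if __name__ == "__main__":
    # Example 9 of the paper: P(X) = (X^2 + X + 3)^2 over F_3, ell = 5.
    print(torsion_structure(2, 7, 3, 5))     # ell | 4tau, so Theorem 7 instead
    print(theorem7(2, 7, 3, 5))              # (False, 4): J_C[5] in J_C(F_81)
    # Constructed sample: X^4 + 3X^2 + 9 over F_3 (table 1, case II), ell = 13.
    print(torsion_structure(0, 3, 3, 13, 3)) # bicyclic over F_27, as 13 | 26
    print(theorem7(0, 3, 3, 13, 6))          # (True, 6): J_C[13] in J_C(F_{3^6})
```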

By Theorem 6 and 7 we get the following corollary.

Corollary 10. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$. Let $\ell$ be an odd prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$, and with $\ell \nmid q$. Let $q$ be of multiplicative order $k$ modulo $\ell$. If $\ell \nmid q - 1$, then the Weil-pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \times \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$.

Proof. Let

$$P_k(X) = X^4 + 2\sigma X^3 + (2q^k + \sigma^2 - \tau)X^2 + 2\sigma q^k X + q^{2k}$$

be the characteristic polynomial of the $q^k$-power Frobenius endomorphism on the Jacobian $\mathcal{J}_C$. If $\ell \mid 4\tau$, then $\mathcal{J}_C[\ell] = \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ by Theorem 7, and the corollary follows.

Assume $\ell \nmid 4\tau$. Let $U = \mathcal{J}_C(\mathbb{F}_q)[\ell]$ and $V = \ker(\varphi - q) \cap \mathcal{J}_C[\ell]$, where $\varphi$ is the $q$-power Frobenius endomorphism on $\mathcal{J}_C$. Then the Weil-pairing $e_W$ is non-degenerate on $U \times V$ by [19]. By Theorem 6 we know that $V = \mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \setminus \mathcal{J}_C(\mathbb{F}_q)[\ell]$ and that

$$\mathcal{J}_C(\mathbb{F}_{q^k})[\ell] = U \oplus V \cong \mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}.$$

Now let $x \in \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ be an arbitrary $\mathbb{F}_{q^k}$-rational point of order $\ell$. Write $x = x_U + x_V$, where $x_U \in U$ and $x_V \in V$. Choose $y \in V$ and $z \in U$, such that $e_W(x_U, y) \ne 1$ and $e_W(x_V, z) \ne 1$. We may assume that $e_W(x_U, y)e_W(x_V, z) \ne 1$; if not, replace $z$ with $2z$. Since the Weil-pairing is anti-symmetric, $e_W(x_U, z) = e_W(x_V, y) = 1$. Hence,

$$e_W(x, y + z) = e_W(x_U, y)e_W(x_V, z) \ne 1.$$

□



Proof of Theorem 7. We see that

$$P_m(X) \equiv (X^2 + \sigma X + q^m)^2 \pmod{\ell};$$

since $P_m(1) \equiv 0 \pmod{\ell}$, it follows that

$$P_m(X) \equiv (X - 1)^2(X - q^m)^2 \pmod{\ell}.$$

Assume at first that $P_m(X)$ is irreducible in $\mathbb{Q}[X]$. Let $\mathcal{O}_K$ denote the ring of integers of $K$. By [16, Proposition 8.3, p. 47], it follows that $\ell\mathcal{O}_K = \mathfrak{L}_1^2\mathfrak{L}_2^2$, where $\mathfrak{L}_1 = (\ell, \omega_m - 1)\mathcal{O}_K$ and $\mathfrak{L}_2 = (\ell, \omega_m - q^m)\mathcal{O}_K$. In particular, $\ell$ ramifies in $K$, and we have a contradiction. So $P_m(X)$ is reducible in $\mathbb{Q}[X]$.

Let $f \in \mathbb{Z}[X]$ be the minimal polynomial of $\omega_m$. If $\deg f = 3$, then it follows as above that $\ell$ ramifies in $K$. So $\deg f < 3$. Assume that $\deg f = 1$, i.e. that $\omega_m \in \mathbb{Z}$. Since $\omega_m^2 = q^m$, we know that $\omega_m = \pm q^{m/2}$. So $f(X) = X \mp q^{m/2}$. Since $f(X)$ divides $P_m(X)$ in $\mathbb{Z}[X]$, either $f(X) \equiv X - 1 \pmod{\ell}$ or $f(X) \equiv X - q^m \pmod{\ell}$. It follows that $q^m \equiv 1 \pmod{\ell}$. Thus, $\omega_m \equiv \pm 1 \pmod{\ell}$. If $\omega_m \equiv -1 \pmod{\ell}$, then $\varphi_m$ does not fix $\mathcal{J}_C(\mathbb{F}_{q^m})[\ell]$. This is a contradiction. Hence, $\omega_m \equiv 1 \pmod{\ell}$. But then $\varphi_m$ is the identity on $\mathcal{J}_C[\ell]$. Thus, if $\omega_m \in \mathbb{Z}$, then $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^m})$.

Assume $\omega_m \notin \mathbb{Z}$. Then $\deg f = 2$. Since $f(X)$ divides $P_m(X)$ in $\mathbb{Z}[X]$, it follows that

$$f(X) \equiv (X - 1)(X - q^m) \pmod{\ell};$$

to see this, we merely notice that if $f(X)$ is equivalent to the square of a polynomial modulo $\ell$, then $\ell$ ramifies in $K$. Notice also that if $q^m \equiv 1 \pmod{\ell}$, then $\ell$ ramifies in $K$. So $q^m \not\equiv 1 \pmod{\ell}$.

Now let $U = \ker(\varphi_m - 1)^2 \cap \mathcal{J}_C[\ell]$ and $V = \ker(\varphi_m - q^m)^2 \cap \mathcal{J}_C[\ell]$. Then $U$ and $V$ are $\varphi_m$-invariant submodules of the $\mathbb{Z}/\ell\mathbb{Z}$-module $\mathcal{J}_C[\ell]$ of rank two, and $\mathcal{J}_C[\ell] = U \oplus V$. Now choose $x_1 \in U$, such that $\varphi_m(x_1) = x_1$, and expand this to a basis $(x_1, x_2)$ of $U$. Similarly, choose a basis $(x_3, x_4)$ of $V$ with $\varphi_m(x_3) = q^m x_3$. With respect to the basis $(x_1, x_2, x_3, x_4)$, $\varphi_m$ is represented by a matrix of the form

$$M = \begin{pmatrix} 1 & \alpha & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & q^m & \beta \\ 0 & 0 & 0 & q^m \end{pmatrix}.$$

Let $q^m$ be of multiplicative order $k$ modulo $\ell$. Notice that

$$M^k = \begin{pmatrix} 1 & k\alpha & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & kq^{m(k-1)}\beta \\ 0 & 0 & 0 & 1 \end{pmatrix}.$$

Hence, the restriction of $\varphi_m^k$ to $\mathcal{J}_C[\ell]$ has the characteristic polynomial $(X - 1)^4$. Let $P_{mk}(X)$ be the characteristic polynomial of the $q^{mk}$-power Frobenius endomorphism $\varphi_{mk} = \varphi_m^k$ of the Jacobian $\mathcal{J}_C$. Then

$$P_{mk}(X) \equiv (X - 1)^4 \pmod{\ell}.$$

Since $\omega_m$ is a $q^m$-Weil number of $\mathcal{J}_C$, we know that $\omega_m^k$ is a $q^{mk}$-Weil number of $\mathcal{J}_C$. Assume $\omega_m^k \notin \mathbb{Q}$. Then $K = \mathbb{Q}(\omega_m^k)$. Let $h \in \mathbb{Z}[X]$ be the minimal polynomial of $\omega_m^k$. Then it follows that $h(X) \equiv (X - 1)^2 \pmod{\ell}$, and $\ell$ ramifies in $K$. So $\omega_m^k \in \mathbb{Q}$, i.e. $h$ is of degree one. But then $h(X) \equiv X - 1 \pmod{\ell}$, i.e. $\omega_m^k \equiv 1 \pmod{\ell}$. So $\varphi_m^k$ is the identity map on $\mathcal{J}_C[\ell]$. Hence, $M^k = I$, i.e. $\alpha \equiv \beta \equiv 0 \pmod{\ell}$. Thus, $\varphi_m$ is represented by a diagonal matrix $\operatorname{diag}(1, 1, q^m, q^m)$ with respect to $(x_1, x_2, x_3, x_4)$. The theorem follows. □

For the 2-torsion part, we get the following theorem.

Theorem 11. Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$ of odd characteristic. Let $P_m(X) = X^4 + sX^3 + tX^2 + sq^m X + q^{2m}$ be the characteristic polynomial of the $q^m$-power Frobenius endomorphism of the Jacobian $\mathcal{J}_C$. Assume $|\mathcal{J}_C(\mathbb{F}_{q^m})|$ is even. Then

$$\mathcal{J}_C[2] \subseteq \begin{cases} \mathcal{J}_C(\mathbb{F}_{q^{4m}}), & \text{if } s \text{ is even;} \\ \mathcal{J}_C(\mathbb{F}_{q^{8m}}), & \text{if } s \text{ is odd.} \end{cases}$$

Proof. Since $q$ is odd,

$$P_m(X) \equiv X^4 + sX^3 + tX^2 + sX + 1 \pmod{2}.$$

Assume at first that $s$ is even. Since $P_m(1)$ is even, it follows that $t$ is even; but then

$$P_m(X) \equiv (X - 1)^4 \equiv X^4 - 1 \pmod{2}.$$

Hence, $\mathcal{J}_C[2] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{4m}})$ in this case.

Now assume that $s$ is odd. Again $t$ must be even; but then

$$P_m(X) \equiv (X^2 - 1)(X^2 + X + 1) \pmod{2}.$$

Since $f(X) = X^2 + X + 1$ has the complex roots $\zeta = \frac{1}{2}(-1 \pm i\sqrt{3})$, and $\zeta^3 = 1$, it follows that $\mathcal{J}_C[2] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{8m}})$ in this case. □

6. Supersingular curves

Consider a genus two curve $C$ defined over a finite field $\mathbb{F}_q$ of characteristic $p$. $C$ is called supersingular, if $\mathcal{J}_C$ has no $p$-torsion. From [13] we have the following theorem.

Theorem 12. Consider a polynomial $f \in \mathbb{Z}[X]$ of the form

$$f(X) = f_{s,t}(X) = X^4 + sX^3 + tX^2 + sqX + q^2,$$

where $q = p^a$. If $f$ is the Weil polynomial of the Jacobian of a supersingular genus two curve defined over the finite field $\mathbb{F}_q$, then $(s, t)$ belongs to table 1.

Remark 13. By [9], in each of the cases in table 1 we can find a $q$ such that $f_{s,t}(X)$ is the Weil polynomial of the Jacobian of a supersingular genus two curve defined over $\mathbb{F}_q$.
Table 1. Conditions for $f = X^4 + sX^3 + tX^2 + sqX + q^2$ to be the Weil polynomial of the Jacobian of a supersingular genus two curve defined over $\mathbb{F}_q$, where $q = p^a$.

Case    $(s, t)$                  Condition
I       $(0, 0)$                  $a$ odd, $p \ne 2$, or $a$ even, $p \not\equiv 1 \pmod{8}$.
II      $(0, q)$                  $a$ odd.
III     $(0, -q)$                 $a$ odd, $p \ne 3$, or $a$ even, $p \not\equiv 1 \pmod{12}$.
IV      $(\pm\sqrt{q}, q)$        $a$ even, $p \not\equiv 1 \pmod{5}$.
V       $(\pm\sqrt{5q}, 3q)$      $a$ odd, $p = 5$.
VI      $(\pm\sqrt{2q}, q)$       $a$ odd, $p = 2$.
VII     $(0, -2q)$                $a$ odd.
VIII    $(0, 2q)$                 $a$ even, $p \equiv 1 \pmod{4}$.
IX      $(\pm 2\sqrt{q}, 3q)$     $a$ even, $p \equiv 1 \pmod{3}$.

Using Theorem 6, 7 and 12 we get the following explicit description of the $\ell$-torsion subgroup of the Jacobian of a supersingular genus two curve.

Theorem 14. Consider a supersingular genus two curve $C$ defined over $\mathbb{F}_q$. Let $\ell$ be a prime number dividing the number of $\mathbb{F}_q$-rational points on the Jacobian $\mathcal{J}_C$, and with $\ell \nmid q$. Depending on the cases in table 1 we get the following properties of $\mathcal{J}_C$.

Case I: $-q^2 \equiv q^4 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^4})$. If $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case II: $q^3 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^6})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic. If $\ell \ne 3$, then $q \not\equiv 1 \pmod{\ell}$.

Case III: $-q^3 \equiv q^6 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^6})$. If $\ell \ne 3$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case IV: $q \not\equiv q^5 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{10}})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case V: $q \not\equiv q^5 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{10}})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case VI: $-q^6 \equiv q^{12} \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{24}})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case VII: $q \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^2})$. If $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic.

Case VIII: $-q \equiv q^2 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^2})$. If $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic.

Case IX: If $\ell \ne 3$, then $q \not\equiv q^3 \equiv 1 \pmod{\ell}$, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^3})$ and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic.

Corollary 15. If $\ell > 3$, then the full embedding degree with respect to $\ell$ of the Jacobian $\mathcal{J}_C$ of a supersingular genus two curve defined over $\mathbb{F}_q$ is at most 24, and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is of rank at most two as a $\mathbb{Z}/\ell\mathbb{Z}$-module.

Proof of Theorem 14. In the following we consider each case in table 1 separately. Throughout this proof, assume that

$$f(X) = X^4 + sX^3 + tX^2 + sqX + q^2$$

is the Weil polynomial of the Jacobian $\mathcal{J}_C$ of some supersingular genus two curve $C$ defined over the finite field $\mathbb{F}_q$ of characteristic $p$, and let $\ell$ be a prime number dividing $f(1)$.

The case $s = 0$. First consider the cases I, II, III, VII and VIII of table 1.

Case I. If $(s, t) = (0, 0)$, then $f(1) = 1 + q^2 \equiv 0 \pmod{\ell}$, i.e. $q^2 \equiv -1 \pmod{\ell}$. So $f(X) \equiv X^4 - 1 \pmod{\ell}$, $q^4 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^4})$. $\tau = 2q$ in Theorem 6, so if $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case II. If $(s, t) = (0, q)$, then the roots of $f$ modulo $\ell$ are given by $\pm 1$ and $\pm q$. Since $f(1) = 1 + q + q^2 \equiv 0 \pmod{\ell}$, we know that $q \equiv \frac{1}{2}(-1 \pm \sqrt{-3}) \pmod{\ell}$. It follows that $q^3 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^6})$. If $\ell = 2$, then $p \ne 2$, and $f(1)$ is odd. So $\ell \ne 2$. $\tau = q$ in Theorem 6, so $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case III. If $(s, t) = (0, -q)$, then the roots of $f$ modulo $\ell$ are given by $\pm 1$ and $\pm q$. Since $f(1) = q^2 - q + 1 \equiv 0 \pmod{\ell}$, we know that $q \equiv \frac{1}{2}(1 \pm \sqrt{-3}) \pmod{\ell}$. It follows that $q^6 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^6})$. As in case II, $\ell \ne 2$. Now $\tau = 3q$, so if $\ell \ne 3$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic.

Case VII. If $(s, t) = (0, -2q)$, then $q \equiv 1 \pmod{\ell}$ and $f(X) = (X^2 - q)^2$. Since $q$ is an odd power of $p$, $X^2 - q$ is irreducible over $\mathbb{Q}$. So by [22, Theorem 2], $\mathcal{J}_C \sim E \times E$ for some supersingular elliptic curve $E$. It follows that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^2})$. $\tau = 4q$, so if $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic.

Case VIII. If $(s, t) = (0, 2q)$, then $q \equiv -1 \pmod{\ell}$ and $f(X) = (X^2 + q)^2$. Since $X^2 + q$ is irreducible over $\mathbb{Q}$, it follows that $\mathcal{J}_C \sim E \times E$ for some supersingular elliptic curve $E$. So $q^2 \equiv 1 \pmod{\ell}$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^2})$. $\tau = 0$ and $\omega = \sqrt{-q}$ is a $q$-Weil number of $\mathcal{J}_C$. Since $q$ is an even power of $p$, $K = \mathbb{Q}(\omega) = \mathbb{Q}(i)$ is of discriminant $d_K = -4$. Hence, if $\ell \ne 2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic by Theorem 7.

Case IV–VI. Now we consider the cases IV, V and VI of table 1.

Case IV. If $(s, t) = (\sqrt{q}, q)$, then $4\tau = 5q$ in Theorem 6. Since $f(1)$ is odd, we know that $\ell \ne 2$. If $\ell$ divides $4\tau$, then $\ell = 5$; $\ell \nmid q$, since $C$ is supersingular. But then $f(1) = q^2 + q\sqrt{q} + q + \sqrt{q} + 1 \equiv 0 \pmod{5}$, i.e. $q \equiv 2 \pmod{5}$. Since $a$ is even and $2$ is not a quadratic residue modulo $5$, this is impossible. So $\ell \nmid 4\tau$. If $q \equiv 1 \pmod{\ell}$, then $f(1) \equiv 5 \pmod{\ell}$, i.e. $\ell = 5$. But then $\ell$ divides $4\tau$, a contradiction. So $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic by Theorem 6. From $f(1) \equiv 0 \pmod{\ell}$ it follows that $q^5 \equiv 1 \pmod{\ell}$. Since the complex roots of $f$ are of the form $\sqrt{q}\zeta$, where $\zeta$ is a primitive $5$th root of unity, it follows that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{10}})$. The case $(s, t) = (-\sqrt{q}, q)$ follows similarly.

Case V. If $(s, t) = (\sqrt{5q}, 3q)$ and $p = 5$, then $4\tau$ is a power of $5$ in Theorem 6. Since $f(1)$ is odd, we know that $\ell \ne 2$. If $\ell$ divides $4\tau$, then $\ell = 5$. Since $C$ is supersingular and defined over a field of characteristic $p = 5$, this is a contradiction. So $\ell \nmid 4\tau$. If $q \equiv 1 \pmod{\ell}$, then $f(1) \equiv 5 + 2\sqrt{5} \equiv 0 \pmod{\ell}$, and it follows that $\ell = 5$. So $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic by Theorem 6. From $f(1) \equiv 0 \pmod{\ell}$ it follows that $q^5 \equiv 1 \pmod{\ell}$. Since the complex roots of $f$ are of the form $\sqrt{q}\zeta$, where $\zeta$ is a primitive $10$th root of unity, it follows that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{10}})$. The case $(s, t) = (-\sqrt{5q}, 3q)$ follows similarly.

Case VI. If $(s, t) = (\sqrt{2q}, q)$ and $p = 2$, then $4\tau = 3 \cdot 2^n$ for some number $n \in \mathbb{N}$. Hence, if $\ell$ divides $4\tau$, then $\ell = 3$. But $3 \nmid f(1)$; thus, $\ell \nmid 4\tau$. If $q \equiv 1 \pmod{\ell}$, then $f(1) \equiv 3 + 2\sqrt{2} \equiv 0 \pmod{\ell}$, and it follows that $\ell = 1$. So $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic by Theorem 6. From $f(1) \equiv 0 \pmod{\ell}$ it follows that $q^6 \equiv -1 \pmod{\ell}$. Since the complex roots of $f$ are of the form $\sqrt{q}\zeta$, where $\zeta$ is a primitive $24$th root of unity, it follows that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{24}})$. The case $(s, t) = (-\sqrt{2q}, q)$ follows similarly.

Case IX. Finally, consider the case IX. Assume that $(s, t) = (-2\sqrt{q}, 3q)$. We see that $f(X) = g(X)^2$, where $g(X) = X^2 - \sqrt{q}X + q$. Since the complex roots of $g$ are given by $\frac{1}{2}(1 \pm \sqrt{-3})\sqrt{q}$, $g$ is irreducible over $\mathbb{Q}$. So by [22, Theorem 2], $\mathcal{J}_C \sim E \times E$ for some supersingular elliptic curve $E$. Hence, either $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bicyclic or equals the full $\ell$-torsion subgroup of $\mathcal{J}_C$.

Assume $\mathcal{J}_C(\mathbb{F}_q)[\ell] = \mathcal{J}_C[\ell]$. Then $q \equiv 1 \pmod{\ell}$, i.e. $\sqrt{q} \equiv \pm 1 \pmod{\ell}$. But then $f(1) = 9 \equiv 0 \pmod{\ell}$ or $f(1) = 1 \equiv 0 \pmod{\ell}$, i.e. $\ell = 3$.

Since $f(1) = (1 - \sqrt{q} + q)^2 \equiv 0 \pmod{\ell}$, we know that $\sqrt{q} \equiv \frac{1}{2}(1 \pm \sqrt{-3}) \pmod{\ell}$. So $q^3 \equiv 1 \pmod{\ell}$. Since $\ell \ne 3$, it follows that $q \not\equiv 1 \pmod{\ell}$. Hence, $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^3})$ by the non-degeneracy of the Tate-pairing.

The case $(s, t) = (2\sqrt{q}, 3q)$ follows similarly. □
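As an added example (my own code, not the paper's), the following Python checks the extension degrees stated in Theorem 14 against the Weil polynomial reduced modulo $\ell$: when $P(X) \bmod \ell$ is squarefree, the Frobenius is diagonalisable on $\mathcal{J}_C[\ell]$ with minimal polynomial $P(X) \bmod \ell$ (section 4), so its order is the order of $X$ in $(\mathbb{Z}/\ell\mathbb{Z})[X]/(P(X))$; when it is not squarefree, the characteristic polynomial alone does not decide, which is exactly the situation of Theorem 7 and of the cases where $\mathcal{J}_C \sim E \times E$. The sample $(s, t, q, \ell)$ values are constructed from the patterns of table 1, and the dictionary of degrees is transcribed from the statement of Theorem 14.

```python
# Added example (not from the paper): the extension degree in Theorem 14 checked
# against the Weil polynomial P(X) reduced modulo ell.  If P is squarefree mod
# ell, the Frobenius is diagonalisable on J_C[ell] with minimal polynomial P mod
# ell (section 4), so its order is the order of X in (Z/ell Z)[X]/(P(X)).
# Polynomials are lists of coefficients, lowest degree first.

# Degree e with J_C[ell] in J_C(F_{q^e}) stated in Theorem 14 for each table-1 case.
THEOREM14_DEGREE = {"I": 4, "II": 6, "III": 6, "IV": 10, "V": 10, "VI": 24,
                    "VII": 2, "VIII": 2, "IX": 3}

def trim(a):
    """Drop leading zero coefficients; the zero polynomial becomes []."""
    while a and a[-1] == 0:
        a.pop()
    return a

def pmul(a, b, ell):
    r = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] = (r[i + j] + x * y) % ell
    return trim(r)

def pmod(a, b, ell):
    """Remainder of a modulo the nonzero polynomial b in (Z/ell Z)[X]."""
    a = trim([c % ell for c in a])
    b = trim([c % ell for c in b])
    inv = pow(b[-1], -1, ell)                # ell prime, so b[-1] is invertible
    while len(a) >= len(b):
        f, shift = (a[-1] * inv) % ell, len(a) - len(b)
        for i, c in enumerate(b):
            a[shift + i] = (a[shift + i] - f * c) % ell
        trim(a)
    return a

def pgcd(a, b, ell):
    a, b = trim([c % ell for c in a]), trim([c % ell for c in b])
    while b:
        a, b = b, pmod(a, b, ell)
    return a

def derivative(a):
    return [i * c for i, c in enumerate(a)][1:]

def is_squarefree_mod(P, ell):
    """True iff gcd(P, P') is a nonzero constant in (Z/ell Z)[X]."""
    return len(pgcd(P, derivative(P), ell)) == 1

def frobenius_order_on_torsion(P, ell, limit=10 ** 6):
    """Least e >= 1 with phi^e = id on J_C[ell], as the order of X modulo P in
    (Z/ell Z)[X].  Valid only when P is squarefree mod ell; otherwise the Jordan
    structure is not determined by P alone (the setting of Theorem 7) and None
    is returned."""
    if not is_squarefree_mod(P, ell):
        return None
    cur = [1]
    for e in range(1, limit):
        cur = pmod(pmul(cur, [0, 1], ell), P, ell)
        if cur == [1]:
            return e
    return None

def weil_poly(s, t, q):
    """X^4 + sX^3 + tX^2 + sqX + q^2 as a coefficient list."""
    return [q * q, s * q, t, s, 1]

def check_theorem14(case, s, t, q, ell):
    """(computed order, degree from Theorem 14, consistent?) for a table-1
    case supplied by the caller; consistent means the order divides the degree
    (Theorem 14 only asserts containment, not minimality)."""
    e = frobenius_order_on_torsion(weil_poly(s, t, q), ell)
    d = THEOREM14_DEGREE[case]
    return e, d, e is None or d % e == 0

if __name__ == "__main__":
    # Constructed samples taken from the (s, t) patterns of table 1.
    print(check_theorem14("I", 0, 0, 3, 5))      # X^4 + 9 over F_3: (4, 4, True)
    print(check_theorem14("II", 0, 3, 3, 13))    # (6, 6, True)
    print(check_theorem14("IV", 2, 4, 4, 31))    # roots 2*zeta_5: (5, 10, True)
    print(check_theorem14("VII", 0, -6, 3, 2))   # (X^2 - 3)^2 mod 2: (None, 2, True)
```

The case IV sample shows that the containment $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{10}})$ of Theorem 14 need not be sharp: over $\mathbb{F}_4$ with $\ell = 31$ the Frobenius already has order 5 on $\mathcal{J}_C[31]$.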